Pimcore Search Document cross site scripting
Description
A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pimcore 11.4.2 Search Document component has a stored XSS vulnerability via PDF upload, allowing remote authenticated attackers to inject arbitrary scripts.
Root Cause
The vulnerability resides in the Search Document component of Pimcore 11.4.2. When a user uploads a PDF file via the "Add Asset(s)" functionality, the application fails to properly sanitize the content. As a result, embedded JavaScript within the PDF can be executed when the document is viewed through the search interface. This is a classic stored cross-site scripting (XSS) flaw [1][3].
Exploitation
An attacker with an authenticated session (e.g., Administrator role) can upload a malicious PDF containing embedded scripts. The crafted document is then accessible via the Search Document functionality. Notably, the advisory states that the XSS payload can be served without authentication if the direct PDF URL is known, widening the attack surface to unauthenticated users who can access the uploaded asset path [3].
Impact
Successful exploitation allows arbitrary script execution in the context of the victim's browser. This can lead to session hijacking, defacement of web pages, or theft of sensitive information. Because scripts run under the Pimcore admin session, an attacker could perform administrative actions on behalf of the target, compromising the entire data management platform [1][3].
Mitigation
As of publication, the vulnerability is publicly disclosed with a proof of concept. No patch has been referenced in the available sources; users should monitor the Pimcore repository and security advisories for updates. In the interim, restricting PDF uploads to trusted roles and filtering file content may reduce risk [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/pimcore (Packagist) | >= 11.4.2, < 11.5.3 | 11.5.3 |
Affected products (3)
Patches (0)
No patches discovered yet.
References (6)
- github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg (ghsa, exploit, WEB)
- github.com/advisories/GHSA-xr3m-6gq6-22cg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-11954 (ghsa, ADVISORY)
- vuldb.com (mitre, third-party-advisory)
- vuldb.com (ghsa, signature, permissions-required, WEB)
- vuldb.com (mitre, vdb-entry)